JP2020068506A - Electronic control device, electronic control system, and program - Google Patents

Abstract

To provide an electronic control device capable of improving security measures against attacks on sensors.SOLUTION: An abnormality detection ECU 18 includes: a communication unit that receives a piece of laser sensor data from a laser sensor 4 via a sensor network 12, and receives a piece of control data that is generated on the basis of the laser sensor data for controlling a drive ECU 20 via a control network 16; a detection part that detects an error related to the sensor network 12; and a determination part that determines whether the received control data is abnormal or not when the communication unit receives the control data in a state that the detection part detects an error on the sensor network 12.SELECTED DRAWING: Figure 1

Description

  The present disclosure relates to an electronic control device, an electronic control system and a program.

  2. Description of the Related Art In recent years, automatic driving systems are known that automatically perform driving operations such as acceleration / deceleration, steering, and braking of vehicles. This automatic driving system includes a sensor that detects an object existing in front of the vehicle, and an electronic control unit that controls a driving operation of the vehicle based on sensor data from the sensor. The sensor and the electronic control unit are connected to each other via an in-vehicle network.

  For example, when an abnormal situation in which a large amount of data from an unauthorized external device is sent to the electronic control unit, such as a Dos attack (Denial of Service attack), the availability of the sensor data is impaired, and the electronic control is lost. There is a possibility that a driving operation of the vehicle which is not intended by the driver may be induced in the unit. Therefore, a monitoring device for monitoring the state of the in-vehicle network described above has been proposed (for example, see Patent Document 1).

JP, 2006-222649, A

  However, the above-described conventional monitoring device has a problem that security measures against attacks on the sensor cannot be said to be sufficient.

  Therefore, the present disclosure provides an electronic control device, an electronic control system, and a program that can further enhance security measures against attacks on sensors.

  An electronic control device according to an aspect of the present disclosure is an electronic control device that is connected to a first network to which a sensor is connected and is connected to a second network to which a control target is connected. A communication unit that receives sensor data from the first network via the first network, and receives control data generated based on the sensor data and for controlling the controlled object via the second network; A detection unit that detects an abnormality related to the first network, and the control data received when the communication unit receives the control data in a state where the detection unit detects an abnormality related to the first network. And a determination unit that determines whether or not is abnormal.

  Note that these comprehensive or specific aspects may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program, or a computer-readable CD-ROM (Compact Disc-Read Only Memory). It may be realized by any combination of the system, the method, the integrated circuit, the computer program, and the recording medium.

  According to the electronic control device and the like according to one aspect of the present disclosure, it is possible to further enhance security measures against attacks on the sensor.

FIG. 3 is a block diagram showing an outline of a communication system according to the first embodiment. 3 is a block diagram showing a functional configuration of an abnormality detection ECU according to the first to third embodiments. FIG. 3 is a flowchart showing a flow of operations of the abnormality detection ECU according to the first embodiment. 4 is a flowchart specifically showing the contents of step S102 of the flowchart of FIG. 5 is a flowchart showing a flow of operations of the abnormality detection ECU according to the second embodiment. 7 is a flowchart showing a flow of operations of the abnormality detection ECU according to the third embodiment. 7 is a flowchart specifically showing the content of step S301 of the flowchart of FIG. 6.

  An electronic control device according to an aspect of the present disclosure is an electronic control device that is connected to a first network to which a sensor is connected and is connected to a second network to which a control target is connected. A communication unit that receives sensor data from the first network via the first network, and receives control data generated based on the sensor data and for controlling the controlled object via the second network; A detection unit that detects an abnormality related to the first network, and the control data received when the communication unit receives the control data in a state where the detection unit detects an abnormality related to the first network. And a determination unit that determines whether or not is abnormal.

  According to this aspect, when the sensor data is falsified or the sensor data is spoofed due to an external attack on the sensor, for example, there is a high possibility that erroneous control of the control target by the control data is caused. . Therefore, when the communication unit receives the control data in a state where the detection unit detects the abnormality related to the first network, the determination unit determines whether the control data is abnormal. Thus, for example, even when the sensor is attacked from the outside, it is possible to suppress the erroneous control of the control target due to the control data by determining whether or not the control data is abnormal. As a result, security measures against attacks on the sensor can be further enhanced.

  For example, when the detection unit detects an abnormality related to the first network, the detection unit identifies the sensor that is the transmission source of the received sensor data as an abnormality generation source sensor, and the determination unit sets the detection unit to the detection unit. It may be configured to determine whether or not the received control data is abnormal, based on the identification result of.

  According to this aspect, it is possible to accurately determine whether or not the received control data is abnormal by using the identification result of the abnormality generation source sensor by the detection unit.

  For example, when the received control data is generated based on the sensor data from the abnormality source sensor, the determination unit determines that the control data is abnormal, and the received control data When the data is generated based on the sensor data from the sensor other than the abnormality source sensor, the control data may be determined not to be abnormal.

  According to this aspect, it is possible to accurately determine whether or not the received control data is abnormal.

  For example, when the determination unit further determines that the received control data is abnormal, it determines that the control of the control target by the control data cannot be continued, and the received control data When it is determined that is not abnormal, it may be configured to determine that the control of the control target by the control data can be continued.

  According to this aspect, when the determination unit determines that the received control data is not abnormal, it determines that the control of the control target by the control data can be continued. As a result, it is possible to avoid needlessly stopping the control of the controlled object.

  For example, the determination unit may be configured to further determine whether or not the control of the control target by the received control data can be continued based on the detection result by the detection unit.

  According to this aspect, it is possible to avoid wastefully stopping the control of the control target.

  For example, the electronic control device may further include a notifying unit that notifies the outside of the abnormality of the control data when it is determined that the received control data is abnormal.

  According to this aspect, since the notifying unit notifies the control data abnormality to the outside, it is possible to take appropriate measures against the control data abnormality.

  For example, the detection unit may be configured to detect that the network address of the sensor has been changed as the abnormality related to the first network.

  According to this aspect, as an attack on the sensor, it is possible to further enhance security measures when the network address of the sensor is changed.

  For example, the detection unit may be configured to detect that the communication amount of the sensor data per unit time exceeds a threshold as the abnormality related to the first network.

  According to this aspect, as an attack on the sensor, it is possible to further enhance security measures when the communication amount of sensor data per unit time exceeds a threshold value.

  For example, the detection unit may be configured to detect that the sensor data has been tampered with as the abnormality related to the first network.

  According to this aspect, it is possible to further enhance the security measures when the sensor data is tampered with as an attack on the sensor.

  For example, the detection unit may be configured to detect that the behavior of the sensor information indicated by the sensor data is abnormal, as the abnormality related to the first network.

  According to this aspect, as an attack on the sensor, it is possible to further enhance security measures when the behavior of the sensor information is abnormal.

  For example, the first network may be configured to be able to communicate at a higher speed than the second network.

  For example, the first network may be Ethernet (registered trademark) or FlexRay (registered trademark), and the second network may be CAN (Controller Area Network).

  An electronic control system according to an aspect of the present disclosure includes a first network connected to a sensor, a second network connected to a control target, the first network and the second network. An electronic control unit, wherein the electronic control unit receives sensor data from the sensor via the first network, generates control based on the sensor data, and controls the control target. A communication unit that receives data via the second network, a detection unit that detects an abnormality related to the first network, and the communication unit in a state where the detection unit detects an abnormality related to the first network. When the control data is received, a determination unit that determines whether or not the received control data is abnormal.

  According to this aspect, when the sensor data is falsified or the sensor data is spoofed due to an external attack on the sensor, for example, there is a high possibility that erroneous control of the control target by the control data is caused. . Therefore, when the communication unit receives the control data in a state where the detection unit detects the abnormality related to the first network, the determination unit determines whether the control data is abnormal. Thus, for example, even when the sensor is attacked from the outside, it is possible to suppress the erroneous control of the control target due to the control data by determining whether or not the control data is abnormal. As a result, security measures against attacks on the sensor can be further enhanced.

  A program according to an aspect of the present disclosure includes a process of receiving sensor data from a sensor via a first network, and control data generated based on the sensor data and for controlling a control target. The process of receiving via the second network, the process of detecting an abnormality related to the first network, and the process of receiving the control data in a state of detecting an abnormality related to the first network, A computer is made to perform the process which determines whether control data is abnormal.

  According to this aspect, similarly to the above, it is possible to further enhance security measures against attacks on the sensor.

  Note that these comprehensive or specific aspects may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program or a computer-readable CD-ROM, and the system, the method, the integrated circuit, the computer. It may be realized by any combination of programs or recording media.

  Hereinafter, embodiments will be specifically described with reference to the drawings.

  It should be noted that each of the embodiments described below shows a comprehensive or specific example. Numerical values, shapes, materials, components, arrangement positions and connection forms of components, steps, order of steps, and the like shown in the following embodiments are examples, and are not intended to limit the present disclosure. Further, among the constituent elements in the following embodiments, constituent elements that are not described in the independent claim showing the highest concept are described as arbitrary constituent elements.

(Embodiment 1)
[1-1. Communication system overview]
First, an outline of the communication system 2 according to the first embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing an outline of the communication system 2 according to the first embodiment.

  The communication system 2 of the present embodiment is an automatic driving system that is installed in a vehicle such as an automobile and that automatically performs a driving operation of the vehicle. The communication system 2 is an example of an electronic control system.

  As shown in FIG. 1, the communication system 2 includes a laser sensor 4, a millimeter wave sensor 6, a camera sensor 8, a switch 10, a sensor network 12, an automatic driving ECU (Electric Control Unit) 14, and a control network. 16, an abnormality detection ECU 18, a drive ECU 20, and a steering ECU 22.

  The laser sensor 4 is a sensor for detecting an object existing around the vehicle using a laser, and is, for example, a LiDAR (Light Detection And Ranging). The laser sensor 4 outputs a laser sensor packet including sensor information. The sensor information included in the laser sensor packet is, for example, a) distance information indicating a distance between the host vehicle and another vehicle traveling in front of the host vehicle, and b) traveling speed of the host vehicle and the relevant information. It is relative speed information indicating a relative speed to a traveling speed of another vehicle traveling in front of the host vehicle. Further, the laser sensor packet includes the IP (Internet Protocol) address of the laser sensor 4 as information regarding the transmission source, and the IP addresses of the automatic driving ECU 14 and the abnormality detection ECU 18 as information regarding the destination. The laser sensor 4 transmits a laser sensor packet to each of the automatic driving ECU 14 and the abnormality detection ECU 18 via the sensor network 12 at a communication rate of 500 packets / second, for example. The laser sensor 4 is an example of a sensor, and the laser sensor packet is an example of sensor data.

  The millimeter wave sensor 6 is a sensor for detecting an object existing around the vehicle using millimeter waves. The millimeter wave sensor 6 outputs a millimeter wave sensor packet including sensor information. The sensor information included in the millimeter wave sensor packet is, for example, a) distance information indicating a distance between the host vehicle and another vehicle traveling in front of the host vehicle, and b) traveling speed of the host vehicle. It is relative speed information indicating a relative speed to a traveling speed of another vehicle traveling in front of the subject vehicle. Further, the millimeter wave sensor packet includes the IP address of the millimeter wave sensor 6 as information regarding the transmission source, and the IP addresses of the automatic driving ECU 14 and the abnormality detection ECU 18 as information regarding the destination. The millimeter wave sensor 6 transmits the millimeter wave sensor packet to each of the automatic driving ECU 14 and the abnormality detection ECU 18 via the sensor network 12 at a communication rate of 500 packets / second, for example. The millimeter wave sensor 6 is an example of a sensor, and the millimeter wave sensor packet is an example of sensor data.

  The camera sensor 8 is a sensor for capturing an image of an object existing around the vehicle. The camera sensor 8 outputs a camera sensor packet including sensor information. The sensor information included in the camera sensor packet is, for example, object recognition information indicating an image obtained by capturing an image of another vehicle traveling in front of the host vehicle. In addition, the camera sensor packet includes the IP address of the camera sensor 8 as information about the transmission source and the IP addresses of the automatic driving ECU 14 and the abnormality detection ECU 18 as information about the destination. The camera sensor 8 transmits a camera sensor packet to each of the automatic driving ECU 14 and the abnormality detection ECU 18 via the sensor network 12 at a communication rate of 500 packets / second, for example. The camera sensor 8 is an example of a sensor, and the camera sensor packet is an example of sensor data.

  The switch 10 is a gateway for interconnecting the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 with the automatic driving ECU 14 and the abnormality detection ECU 18. The switch 10 is arranged in the sensor network 12.

  The sensor network 12 is composed of Ethernet (registered trademark), for example, and is built inside the vehicle. The sensor network 12 is an example of the first network. The sensor network 12 can communicate sensor packets at a higher speed and with a larger capacity than the control network 16 described later. Although the sensor network 12 is configured by Ethernet (registered trademark) in the present embodiment, the present invention is not limited to this, and may be configured by, for example, FlexRay (registered trademark).

  The automatic driving ECU 14 is an electronic control unit for controlling an automatic driving operation of a vehicle in an advanced driver assistance system (ADAS: Advanced Driver Assistance System). The autonomous driving ECU 14 is connected to the monitor port of the switch 10. Further, the automatic driving ECU 14 is connected to the abnormality detection ECU 18, the drive ECU 20, and the steering ECU 22 via the control network 16. The autonomous driving ECU 14 generates a control packet for controlling the drive ECU 20 and the steering ECU 22 based on the laser sensor packet from the laser sensor 4, the millimeter wave sensor packet from the millimeter wave sensor 6, and the camera sensor packet from the camera sensor 8. To generate. For example, when a pedestrian or the like jumps out in front of the vehicle, the automatic driving ECU 14 causes the drive ECU 20 (or the steering ECU 22) to drive the vehicle based on the laser sensor packet, the millimeter wave sensor packet, and the camera sensor packet. A control packet for instructing to perform sudden braking (or sudden steering) is generated. The autonomous driving ECU 14 broadcasts the generated control packet to the abnormality detection ECU 18, the drive ECU 20, and the steering ECU 22 via the control network 16. The control packet is an example of control data.

  The control network 16 is composed of, for example, a CAN (Controller Area Network), and is built inside the vehicle. The control network 16 has a plurality of CAN buses for communicating according to the CAN protocol. The control network 16 is an example of the second network. In the present embodiment, the control network 16 is configured by CAN, but is not limited to this, and may be configured by CAN-FD (CAN with Flexible Data Rate) or the like.

  The abnormality detection ECU 18 is an electronic control unit for determining whether or not the control packet transmitted from the autonomous driving ECU 14 is abnormal when an abnormality regarding the sensor network 12 is detected. In the present specification, the abnormality relating to the sensor network 12 refers to an abnormality caused by an external attack on the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8. The abnormality detection ECU 18 is connected to the mirror port of the switch 10 and also connected to the autonomous driving ECU 14 via the control network 16. Further, the abnormality detection ECU 18 can communicate with the server device 26 arranged outside the vehicle via the external network 24 such as the Internet or a dedicated line. The server device 26 is a computer for managing the communication system 2. The abnormality detection ECU 18 is an example of an electronic control device. The functional configuration of the abnormality detection ECU 18 will be described later in detail.

  The drive ECU 20 is an electronic control unit for controlling acceleration / deceleration and braking of the vehicle. Specifically, the drive ECU 20 controls the drive motor for driving the wheels of the vehicle based on the control packet from the automatic driving ECU 14. For example, when a pedestrian or the like jumps out in front of the vehicle, the drive ECU 20 controls the drive motor so as to suddenly brake the vehicle based on the control packet from the automatic driving ECU 14. The drive ECU 20 is an example of a control target.

  The steering ECU 22 is an electronic control unit for controlling the steering of the vehicle. Specifically, the steering ECU 22 controls the steering motor for rotating the steering wheel of the vehicle based on the control packet from the automatic driving ECU 14. For example, when a pedestrian or the like jumps out in front of the vehicle, the steering ECU 22 steers the vehicle so as to steer the vehicle rightward (or leftward) based on the control packet from the autonomous driving ECU 14. To control. The steering ECU 22 is an example of a control target.

  In the present embodiment, the control target is configured by the drive ECU 20 and the steering ECU 22, but the control target is not limited to these, and may be configured by various ECUs such as a chassis ECU for controlling the chassis of the vehicle.

[1-2. Functional configuration of abnormality detection ECU]
Next, the functional configuration of the abnormality detection ECU 18 will be described with reference to FIGS. 1 and 2. FIG. 2 is a block diagram showing a functional configuration of the abnormality detection ECU 18 according to the first embodiment.

  As shown in FIG. 2, the abnormality detection ECU 18 includes a communication unit 28, a detection unit 30, a determination unit 32, and a notification unit 34.

  The communication unit 28 receives the laser sensor packet from the laser sensor 4, the millimeter wave sensor packet from the millimeter wave sensor 6, and the camera sensor packet from the camera sensor 8 via the sensor network 12. The communication unit 28 also receives a control packet from the autonomous driving ECU 14 via the control network 16. Further, the communication unit 28 transmits an abnormality notification signal (described later) from the notification unit 34 to the server device 26 via the external network 24.

  The detection unit 30 detects an abnormality regarding the sensor network 12 based on the received laser sensor packet, millimeter wave sensor packet, and camera sensor packet.

  The determination unit 32 determines that the received control packet is abnormal when the communication unit 28 receives the control packet from the autonomous driving ECU 14 while the detection unit 30 detects the abnormality related to the sensor network 12. .

  When the determination unit 32 determines that the control packet is abnormal, the notification unit 34 generates an abnormality notification signal for notifying the server device 26 of the abnormality of the control packet. The notification unit 34 outputs the generated abnormality notification signal to the communication unit 28. That is, the notification unit 34 notifies the external server device 26 of the abnormality of the control packet via the communication unit 28.

[1-3. Operation of abnormality detection ECU]
Next, the operation of the abnormality detection ECU 18 during automatic driving of the vehicle will be described with reference to FIGS. 3 and 4. FIG. 3 is a flowchart showing a flow of operations of the abnormality detection ECU 18 according to the first embodiment. FIG. 4 is a flowchart specifically showing the contents of step S102 of the flowchart of FIG.

  As shown in FIG. 3, the communication unit 28 receives the laser sensor packet from the laser sensor 4, the millimeter wave sensor packet from the millimeter wave sensor 6, and the camera sensor packet from the camera sensor 8 (S101). The detection unit 30 detects an abnormality regarding the sensor network 12 based on the received laser sensor packet, millimeter wave sensor packet, and camera sensor packet (S102). Specific processing in step S102 will be described in detail later.

  When the detection unit 30 does not detect an abnormality regarding the sensor network 12 (NO in S103), the communication unit 28 does not notify the server device 26 of the abnormality notification signal (S104). When ending the automatic driving control of the vehicle (YES in S105), the process ends. On the other hand, if the automatic driving control of the vehicle is to be continued (NO in S105), the process returns to step S101 described above.

  Returning to step S103, when the detection unit 30 detects an abnormality regarding the sensor network 12 (YES in S103), the determination unit 32 determines whether or not the communication unit 28 has received the control packet from the autonomous driving ECU 14. Yes (S106). Note that the determination unit 32 can determine that the detection unit 30 has detected the abnormality regarding the sensor network 12 by receiving the information (described later) regarding the abnormality from the detection unit 30.

  When the communication unit 28 has not received the control packet from the autonomous driving ECU 14 (NO in S106), the process proceeds to step S104 described above. On the other hand, when the communication unit 28 receives the control packet from the autonomous driving ECU 14 (YES in S106), the determination unit 32 determines that the received control packet is abnormal (S107).

  In this case, the notification unit 34 generates an abnormality notification signal and outputs the generated abnormality notification signal to the communication unit 28. The communication unit 28 transmits the abnormality notification signal from the notification unit 34 to the server device 26 (S108). Then, it progresses to step S105 mentioned above.

  In the present embodiment, the communication unit 28 transmits the abnormality notification signal to the server device 26 in step S108 described above, but the present invention is not limited to this. For example, the abnormality notification signal is transmitted to the automatic driving ECU 14. May be. Thereby, for example, the automatic driving ECU 14 can perform the degeneration control of the vehicle. Alternatively, the communication unit 28 may notify the driver of the vehicle of the abnormality of the control packet by transmitting an abnormality notification signal to the instrumental panel of the vehicle. Thereby, the driver can recognize that the abnormality of the control packet has occurred, and can take appropriate measures such as switching the driving of the vehicle from the automatic driving to the manual driving.

  Here, the process in step S102 of FIG. 3 will be specifically described with reference to FIG.

  As shown in FIG. 4, the detection unit 30 first sets 1 for at least one of the laser sensor packet from the laser sensor 4, the millimeter wave sensor packet from the millimeter wave sensor 6, and the camera sensor packet from the camera sensor 8. It is detected whether the number of packets per second exceeds 500 (S1021). That is, in the detection unit 30, one of the laser sensor packet from the laser sensor 4, the millimeter wave sensor packet from the millimeter wave sensor 6, and the camera sensor packet from the camera sensor 8 is the threshold value (500). Packet / second) is detected.

  When the number of packets per second exceeds 500 (YES in S1021), the detection unit 30 detects an abnormality regarding the sensor network 12 (S1022), and outputs information regarding the abnormality to the determination unit 32 (S1023). ). Specifically, the detection unit 30 uses, as the information regarding the abnormality, for example, the type of sensor in which the number of packets per second exceeds 500 (for example, “laser sensor”), and the number of detected packets per second. (Eg, “1000”) is output to the determination unit 32. After that, the process proceeds to YES in step S103 of FIG. 3 described above.

  When the number of packets per second does not exceed 500 (NO in S1021), the detection unit 30 causes the laser sensor packet from the laser sensor 4 and the millimeter wave sensor packet from the millimeter wave sensor 6 to return to step S1021. And, regarding the total number of camera sensor packets from the camera sensor 8, it is detected whether or not the total number of packets per second exceeds 1500 (S1024).

  When the total number of packets per second exceeds 1500 (YES in S1024), the detection unit 30 detects an abnormality regarding the sensor network 12 (S1022), and outputs information regarding the abnormality to the determination unit 32 ( S1023). Specifically, the detection unit 30 outputs, for example, the detected total number of packets per second (for example, “2000”) to the determination unit 32 as the information regarding the abnormality. After that, the process proceeds to YES in step S103 of FIG. 3 described above.

  Returning to step S1024, when the total number of packets per second does not exceed 1500 (NO in S1024), the detecting unit 30 determines that at least one IP of the laser sensor 4, the millimeter wave sensor 6 and the camera sensor 8 is selected. It is detected whether the address has been changed (S1025). Specifically, the detection unit 30 includes the respective IP addresses of the laser sensor 4, the millimeter wave sensor 6 and the camera sensor 8 stored in advance in a memory (not shown) of the abnormality detection ECU 18, the laser sensor packet, the millimeter wave. The source IP addresses included in the sensor packet and the camera sensor packet are compared. As a result of the comparison, the detection unit 30 detects that the source IP address included in each sensor packet has been changed if the two are different. The IP address is an example of a network address.

  When the IP address is changed (YES in S1025), the detection unit 30 detects an abnormality regarding the sensor network 12 (S1022), and outputs information regarding the abnormality to the determination unit 32 (S1023). Specifically, the detection unit 30 outputs to the determination unit 32, for example, the type of sensor whose IP address has been changed (for example, “camera sensor”) and the IP address change log, as information about the abnormality. After that, the process proceeds to YES in step S103 of FIG. 3 described above.

  Returning to step S1025, when the IP address has not been changed (NO in S1025), the detection unit 30 includes at least one of the laser sensor packet, the millimeter wave sensor packet, and the camera sensor packet in the sensor packet. It is detected whether or not the behavior of the sensor information is abnormal (S1026). The sensor information is, for example, the above-mentioned distance information, relative speed information, and object recognition information. When the behavior of the sensor information is abnormal, for example, a) the position of an object existing around the vehicle moves faster than expected, b) the relative speed exceeds a predetermined value, and , C) It is possible that an object suddenly appears around the vehicle.

  When the behavior of the sensor information is abnormal (YES in S1026), the detection unit 30 detects an abnormality regarding the sensor network 12 (S1022) and outputs information regarding the abnormality to the determination unit 32 (S1023). Specifically, the detection unit 30 includes, as the information regarding the abnormality, for example, a type of sensor including abnormal sensor information regarding behavior (for example, “camera sensor”), and abnormal sensor information regarding behavior (for example, “object recognition information”). )) Is output to the determination unit 32. After that, the process proceeds to YES in step S103 of FIG. 3 described above.

  Returning to step S1026, if the behavior of the sensor information is not abnormal (NO in S1026), the detection unit 30 determines whether at least one of the laser sensor packet, the millimeter wave sensor packet, and the camera sensor packet is a known attack. Whether or not it is detected (S1027). As a case where the sensor packet is a known attack, for example, a) tampering of the sensor packet is detected, and b) one sensor packet is received more from the same sensor (spoofing the sensor packet). .

  If the sensor packet is a known attack (YES in S1027), the detection unit 30 detects an abnormality regarding the sensor network 12 (S1022), and outputs information regarding the abnormality to the determination unit 32 (S1023). Specifically, the detection unit 30 uses, as the information on the abnormality, for example, the type of sensor that is the transmission source of the sensor packet that is a known attack (for example, “millimeter wave sensor”) and the type of attack of the sensor packet ( For example, “sensor packet tampering” or “sensor packet spoofing”) is output to the determination unit 32. After that, the process proceeds to YES in step S103 of FIG. 3 described above.

  When the sensor packet is not a known attack (NO in S1027), the detection unit 30 does not detect an abnormality regarding the sensor network 12 (S1028). Then, the process proceeds to NO in step S103 of FIG. 3 described above.

[1-4. effect]
For example, when the laser sensor 4, the millimeter-wave sensor 6, and the camera sensor 8 are attacked from the outside to tamper with each sensor packet or spoof each sensor packet, the drive ECU 20 and the steering ECU 22 are controlled by the control packet. There is a high possibility that miscontrol of will be caused. Therefore, when the communication unit 28 receives the control packet while the detection unit 30 detects the abnormality related to the sensor network 12, the determination unit 32 determines whether the control packet has an abnormality.

  Accordingly, even if the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 are attacked from the outside, for example, the drive ECU 20 and the steering ECU 22 based on the control packet are determined by determining whether or not the control packet is abnormal. It is possible to suppress the erroneous control of. As a result, it is possible to further enhance security measures against attacks on the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8.

(Embodiment 2)
[2-1. Functional configuration of abnormality detection ECU]
The functional configuration of the abnormality detection ECU 18A according to the second embodiment will be described with reference to FIG. FIG. 2 is a block diagram showing a functional configuration of the abnormality detection ECU 18A according to the second embodiment. In addition, in each of the following embodiments, the same components as those in the first embodiment are designated by the same reference numerals, and the description thereof will be omitted.

  As illustrated in FIG. 2, the detection unit 30A is a transmission source of sensor packets (laser sensor packet, millimeter wave sensor packet, and camera sensor packet) received when an abnormality related to the sensor network 12 (see FIG. 1) is detected. (The laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 shown in FIG. 1) are specified as the abnormality source sensor. 30 A of detection parts output a specific result (for example, the information regarding abnormality described in Embodiment 1) to 32 A of determination parts.

  The determination unit 32A determines whether or not the received control packet is abnormal based on the identification result by the detection unit 30A. Specifically, when the received control packet is generated based on the sensor packet from the abnormality source sensor, the determination unit 32A determines that the control packet is abnormal, and determines whether the control packet is abnormal. It is determined that the automatic driving control (that is, the control of the drive ECU 20 and the steering ECU 22 shown in FIG. 1) cannot be continued. For example, when the abnormality source sensor is identified as the laser sensor 4, and when the received control packet is generated based on the laser sensor packet from the laser sensor 4, the determination unit 32A causes the determination unit 32A to perform the control. It is determined that the packet is abnormal, and it is determined that the automatic driving control by the control packet cannot be continued.

  On the other hand, when the received control packet is generated based on the sensor packet from the sensor other than the abnormality source sensor, the determination unit 32A determines that the control packet is not abnormal, and It is determined that the packet-based automatic operation control can be continued. For example, when the abnormality source sensor is identified as the laser sensor 4 and the received control packet is generated based on the camera sensor packet from the camera sensor 8, the determination unit 32A causes the determination unit 32A to perform the control. It is determined that the packet is not abnormal, and it is determined that the automatic driving control by the control packet can be continued.

  The notification unit 34A notifies the automatic driving ECU 14 (see FIG. 1) that the automatic driving control cannot be continued when the determination unit 32A determines that the automatic driving control cannot be continued. A signal is generated, and the generated continuation impossible notification signal is output to the communication unit 28. In addition, when the determination unit 32A determines that the automatic driving control can be continued, the notification unit 34A generates a continuation possible notification signal for notifying the automatic driving ECU 14 that the automatic driving control can be continued. Then, the generated continuability notification signal is output to the communication unit 28.

[2-2. Operation of abnormality detection ECU]
Next, the operation of the abnormality detection ECU 18A during automatic driving of the vehicle will be described with reference to FIG. FIG. 5 is a flowchart showing a flow of operations of the abnormality detection ECU 18A according to the second embodiment. In the flowchart of FIG. 5, the same processes as those of the flowchart of FIG. 3 described above are designated by the same step numbers, and description thereof will be omitted.

  As shown in FIG. 5, steps S101 to S106 are executed as in the first embodiment. In step S106, when the communication unit 28 receives the control packet from the autonomous driving ECU 14 (YES in S106), the determination unit 32A determines whether the detection unit 30A identifies the abnormality source sensor ( S201).

  When the detection source 30A does not specify the abnormality source sensor (NO in S201), the determination unit 32A determines that the received control packet is abnormal (S202), and the automatic operation based on the control packet is performed. It is determined that the control cannot be continued (S203). In this case, the notification unit 34A generates the abnormality notification signal and the continuation impossible notification signal, and outputs the generated abnormality notification signal and the continuation impossible notification signal to the communication unit 28. The communication unit 28 transmits the abnormality notification signal and the continuation impossible notification signal from the notification unit 34A to the server device 26 (see FIG. 1) and the autonomous driving ECU 14 (S204). The autonomous driving ECU 14 may perform the degeneration control of the vehicle based on the continuation impossible notification signal from the abnormality detection ECU 18A. Then, it progresses to step S105 mentioned above.

  Returning to step S201, when the detection unit 30A identifies the abnormality generation source sensor (YES in S201), the determination unit 32A generates the received control packet based on the sensor packet from the abnormality generation source sensor. It is determined whether it has been done (S205).

  When the received control packet is generated based on the sensor packet from the abnormality source sensor (YES in S205), the process proceeds to step S202 described above. In this case, the notification unit 34A may add information regarding the abnormality source sensor to the continuation impossible notification signal. As a result, the automatic driving ECU 14 can obtain the information about the abnormality source sensor, and thus can continue the automatic driving control by the control packet generated by the sensor packet from the sensor other than the abnormality source sensor. it can.

  On the other hand, the received control packet is not generated based on the sensor packet from the abnormality source sensor, in other words, the received control packet is generated based on the sensor packet from another sensor other than the abnormality source sensor. If it is (NO in S205), the determination unit 32A determines that the received control packet is not abnormal (S206), and determines that the automatic driving control by the control packet can be continued (S207). ). In this case, the notification unit 34A generates a continuation possible notification signal and outputs the generated continuation possible notification signal to the communication unit 28. The communication unit 28 transmits the continuation possible notification signal from the notification unit 34A to the automatic driving ECU 14 (S208). The automatic driving ECU 14 continues the automatic driving control of the vehicle based on the continuation possible notification signal from the abnormality detection ECU 18A. Then, it progresses to step S105 mentioned above.

[2-3. effect]
As described above, when the received control packet is generated based on the sensor packet from the sensor other than the abnormality source sensor, the determination unit 32A determines that the control packet is not abnormal and , It is determined that the automatic driving control by the control packet can be continued. As a result, it is possible to avoid unnecessary stop of the automatic driving control by the automatic driving ECU 14.

(Embodiment 3)
[3-1. Functional configuration of abnormality detection ECU]
The functional configuration of the abnormality detection ECU 18B according to the third embodiment will be described with reference to FIG. FIG. 2 is a block diagram showing a functional configuration of the abnormality detection ECU 18B according to the third embodiment.

  As shown in FIG. 2, the determination unit 32B determines whether or not the automatic driving control based on the received control packet can be continued based on the detection result of the detection unit 30. When it is determined that the automatic driving control by the control packet cannot be continued, the determination unit 32B determines that the control packet is abnormal. On the other hand, when determining that the automatic driving control by the control packet can be continued, the determination unit 32B determines that the control packet is not abnormal.

  When the determination unit 32B determines that the automatic driving control cannot be continued, the notification unit 34B generates the continuation impossible notification signal described in the second embodiment, and the communication unit notifies the generated continuation impossible notification signal. To 28. Further, when the determination unit 32B determines that the automatic driving control can be continued, the notification unit 34B does not generate the continuation possible notification signal described in the second embodiment.

[3-2. Operation of abnormality detection ECU]
Next, the operation of the abnormality detection ECU 18B during automatic driving of the vehicle will be described with reference to FIGS. 6 and 7. FIG. 6 is a flowchart showing a flow of operations of the abnormality detection ECU 18B according to the third embodiment. FIG. 7 is a flowchart specifically showing the contents of step S301 of the flowchart of FIG. In the flowchart of FIG. 6, the same process as the process of the flowchart of FIG. 3 described above is given the same step number, and the description thereof is omitted.

  As shown in FIG. 6, steps S101 to S106 are executed as in the first embodiment. In step S106, when the communication unit 28 receives the control packet from the autonomous driving ECU 14 (see FIG. 1) (YES in S106), the determination unit 32B receives the control packet based on the detection result of the detection unit 30. It is determined whether the automatic driving control by the control packet can be continued (S301). The specific processing in step S301 will be described in detail later.

  When it is determined that the automatic driving control by the received control packet can be continued (YES in S302), the determination unit 32B determines that the received control packet is not abnormal (S303). In this case, the notification unit 34B generates an abnormality notification signal and outputs the generated abnormality notification signal to the communication unit 28. The abnormality notification signal is a signal for notifying the server device 26 (see FIG. 1) of an abnormality related to the sensor network 12. The communication unit 28 transmits the abnormality notification signal from the notification unit 34B to the server device 26 (S304). Then, it progresses to step S105 mentioned above.

  Returning to step S302, when the determination unit 32B determines that the automatic driving control based on the received control packet cannot be continued (NO in S302), the determination unit 32B determines that the received control packet is abnormal ( S305). In this case, the notification unit 34B generates the abnormality notification signal and the continuation impossible notification signal, and outputs the generated abnormality notification signal and the continuation impossible notification signal to the communication unit 28. The communication unit 28 transmits the abnormality notification signal and the continuation impossible notification signal from the notification unit 34B to the server device 26 and the autonomous driving ECU 14, respectively (S306). Then, it progresses to step S105 mentioned above.

  Here, the process in step S301 of FIG. 6 will be specifically described with reference to FIG. 7.

  As shown in FIG. 7, the determination unit 32B first determines whether or not the number of abnormal sensors among the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 (see FIG. 1) is one. (S3011). When the number of abnormal sensors among the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 is two or more (NO in S3011), the determination unit 32B determines whether the automatic driving control based on the received control packet is performed. It is determined that the continuation is impossible (S3012), and the process proceeds to NO in step S302 described above.

  Note that in step S3011, instead of the above-described determination condition, if the laser sensor 4 (LiDAR) is abnormal, the process may proceed from step S3011 to step S3012.

  Returning to step S3011, when the number of abnormal sensors among the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 is one (YES in S3011), the determination unit 32B determines the abnormal sensor information ( It is determined whether or not there is one type of distance information, relative speed information, and object recognition information (S3013). When there are two or more types of abnormal sensor information (NO in S3013), the determination unit 32B determines that the automatic driving control by the received control packet cannot be continued (S3012), and the above-described step S302. No to No.

  Note that in step S3013, instead of the above-described determination condition, if the distance information in the sensor information is abnormal, the process may proceed from step S3013 to step S3012. Further, in step S3013, instead of the above-described determination condition, if only the object recognition information of the sensor information is abnormal, the process may proceed from step S3013 to step S3014.

  Returning to step S3013, if there is only one type of abnormal sensor information (YES in S3013), the determination unit 32B determines whether an attack on the laser sensor 4, the millimeter wave sensor 6, and the camera sensor 8 can be identified. Is determined (S3014). When the attack cannot be identified (NO in S3014), the determination unit 32B determines that the automatic driving control by the received control packet cannot be continued (S3012), and proceeds to NO in step S302 described above. In addition, when the attack cannot be specified, for example, spoofing of sensor packets, denial of service attacks due to excess of the number of sensor packets, and the like are considered.

  Returning to step S3014, when the attack can be identified (YES in S3014), the determination unit 32B determines that the automatic driving control by the received control packet can be continued (S3015), and the above-described step S302. Go to YES. It should be noted that the case in which the attack can be identified may be, for example, the case where tampering with the sensor packet is detected.

[3-3. effect]
As described above, the determination unit 32B determines whether or not the automatic driving control by the received control packet can be continued based on the detection result by the detection unit 30. As a result, it is possible to avoid unnecessary stop of the automatic driving control by the automatic driving ECU 14.

(Other modifications)
Although the electronic control device and the electronic control system according to one or more aspects have been described above based on the above-described embodiments, the present disclosure is not limited to the above-described embodiments. Unless departing from the gist of the present disclosure, various modifications made by those skilled in the art are applied to each of the above-described embodiments, and a configuration in which components in different embodiments are combined is also included in one or more aspects. It may be included in the range.

  In each of the above embodiments, the electronic control unit is applied to the abnormality detection ECUs 18, 18A, 18B mounted in the automatic vehicle driving system, but the present invention is not limited to this, and is applied to, for example, an ECU mounted in any system. You may.

  In each of the above-described embodiments, as an application example of the abnormality detection ECUs 18, 18A, and 18B according to the present disclosure, application to security measures in an in-vehicle network mounted in a vehicle (automobile, etc.) has been described. The application range of the detection ECUs 18, 18A, 18B is not limited to this. The abnormality detection ECUs 18, 18A, and 18B according to the present disclosure are not limited to vehicles such as automobiles, and may be applied to any mobility such as a construction machine, an agricultural machine, a ship, a railroad, or an airplane.

  In each of the above-described embodiments, the abnormality detection ECUs 18, 18A, 18B detect an abnormality regarding the sensor network 12, but the present invention is not limited to this, and the switch 10 may detect an abnormality regarding the sensor network 12, for example. In this case, the abnormality detection ECUs 18, 18A, 18B and the switch 10 constitute an electronic control unit.

  In each of the above embodiments, the automatic driving ECU 14 and the abnormality detection ECUs 18, 18A, 18B are configured separately, but the invention is not limited to this. For example, the automatic driving ECU 14 has the functions of the abnormality detection ECUs 18, 18A, 18B. May be.

  In addition, in the above-described embodiment, each component may be configured by dedicated hardware, or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded in a recording medium such as a hard disk or a semiconductor memory.

  Further, some or all of the functions of the electronic control device according to the above-described embodiment may be realized by a processor such as a CPU executing a program.

  Some or all of the constituent elements of each of the above devices may be configured with an IC card that can be attached to and detached from each device or a single module. The IC card or the module is a computer system including a microprocessor, ROM, RAM and the like. The IC card or the module may include the above super-multifunctional LSI. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may be tamper resistant.

  The present disclosure may be the method shown above. Further, it may be a computer program that realizes these methods by a computer, or may be a digital signal including the computer program. The present disclosure also discloses a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, a MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD (Blu-ray (registered). It may be recorded in a trademark) Disc), a semiconductor memory, or the like. Further, the digital signal recorded on these recording media may be used. In addition, the present disclosure may transmit the computer program or the digital signal via an electric communication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like. Further, the present disclosure may be a computer system including a microprocessor and a memory, the memory stores the computer program, and the microprocessor may operate according to the computer program. In addition, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, thereby being implemented by another independent computer system. Also good.

  The electronic control device according to the present disclosure can be applied to, for example, an ECU mounted in an automatic driving system.

2 Communication system 4 Laser sensor 6 Millimeter wave sensor 8 Camera sensor 10 Switch 12 Sensor network 14 Autonomous driving ECU
16 Control network 18, 18A, 18B Abnormality detection ECU
20 Drive ECU
22 Steering ECU
24 external network 26 server device 28 communication unit 30, 30A detection unit 32, 32A, 32B determination unit 34, 34A, 34B notification unit

Claims (14)

An electronic control device connected to a first network to which a sensor is connected, and to a second network to which a control target is connected,
A communication unit that receives sensor data from the sensor via the first network, and receives control data for controlling the controlled object, which is generated based on the sensor data, via the second network. When,
A detection unit that detects an abnormality related to the first network;
A determination unit that determines whether or not the received control data is abnormal when the communication unit receives the control data in a state in which the detection unit detects an abnormality related to the first network,
An electronic control device including. The detection unit, when detecting an abnormality related to the first network, identifies the sensor that is the transmission source of the received sensor data as an abnormality generation source sensor,
The determination unit determines whether or not the received control data is abnormal based on the identification result by the detection unit,
The electronic control device according to claim 1. The determination unit,
When the received control data is generated based on the sensor data from the abnormality source sensor, it is determined that the control data is abnormal,
When the received control data is generated based on the sensor data from the sensor other than the abnormality source sensor, it is determined that the control data is not abnormal,
The electronic control device according to claim 2. The determination unit further includes
When it is determined that the received control data is abnormal, it is determined that the control of the control target by the control data cannot be continued,
When it is determined that the received control data is not abnormal, it is determined that the control of the control target by the control data can be continued,
The electronic control device according to claim 3. The determination unit further determines, based on the detection result by the detection unit, whether or not the control of the control target by the received control data can be continued.
The electronic control device according to claim 1. The electronic control device further includes a notification unit that notifies the outside of the abnormality of the control data when it is determined that the received control data is abnormal.
The electronic control device according to claim 1. The detection unit detects that the network address of the sensor has been changed as an abnormality related to the first network,
The electronic control device according to claim 1. The detection unit detects that the communication amount of the sensor data per unit time exceeds a threshold as an abnormality related to the first network,
The electronic control device according to claim 1. The detection unit detects that the sensor data has been tampered with as an abnormality related to the first network,
The electronic control device according to claim 1. The detection unit detects that the behavior of the sensor information indicated by the sensor data is abnormal, as the abnormality related to the first network,
The electronic control device according to claim 1. The first network can communicate at a higher speed than the second network,
The electronic control device according to claim 1. The first network is Ethernet (registered trademark) or FlexRay (registered trademark),
The second network is a CAN (Controller Area Network),
The electronic control device according to claim 11. A first network connected to the sensor,
A second network connected to the controlled object,
An electronic control device connected to the first network and the second network,
The electronic control unit,
A communication unit that receives sensor data from the sensor via the first network, and receives control data for controlling the controlled object, which is generated based on the sensor data, via the second network. When,
A detection unit that detects an abnormality related to the first network;
A determination unit that determines whether or not the received control data is abnormal when the communication unit receives the control data in a state in which the detection unit detects an abnormality related to the first network, Has,
Electronic control system. A process of receiving sensor data from the sensor via the first network,
A process of receiving, via a second network, control data generated based on the sensor data and for controlling a control target;
A process of detecting an abnormality relating to the first network;
A process of determining whether or not the received control data is abnormal when the control data is received in a state where an abnormality related to the first network is detected,
A program that causes a computer to execute.

Images